LAN clients get connection denied by Apache
  1. #1

    LAN clients get connection denied by Apache

    Hi Gurus out there, could you please help me with my problem. I am running a newly installed Apache 2.x on my RH9.0 server. My problem is that every time my LAN clients want to access my Apache they are refused connections. But when I turn off my firewall, clients can freely access web pages.

    #telnet 192.168.0.1 80
    Trying 192.168.0.1...
    telnet: connect to address 192.168.0.1: Connection refused

    I'm quite sure the problem is with my firewall rules. Could anyone please help me with what rule should allow my LAN to access my Apache server?

    My other services like Squid proxy, FTP and others are running OK, and my clients can freely access those services without any problem. Also, I use this machine as the gateway for my LAN.

    My Apache IP: 192.168.0.1 ----eth1

    Here's some part of my firewall script:


    IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
    IPADDR2=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`

    EXTERNAL_INTERFACE="eth0"
    LOOPBACK_INTERFACE="lo"
    LOCAL_INTERFACE_1="eth1" # Internal LAN interface
    INTRANET="192.168.0.0/16" # Private IP Addr Range
    PRIMARY_NAMESERVER="203.x.x.3"
    SECONDARY_NAMESERVER="203.x.x.4"
    LOOPBACK="127.0.0.0/8"
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"
    BROADCAST_SRC="0.0.0.0"
    BROADCAST_DEST="255.255.255.255"
    PRIVPORTS="0:1023"
    UNPRIVPORTS="1024:"

    SSH_LOCAL_PORTS="1022:65535"
    SSH_REMOTE_PORTS="513:65535"

    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"

    iptables -F
    iptables -F -t nat
    iptables -X

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

    # Unlimited traffic within the local network.
    iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT

    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP

    # Allow all internal packets out of our network.
    iptables -A FORWARD -m state --state NEW,ESTABLISHED \
    -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT

    # Allow the associated packets with those connections back in.
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
    -i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT

    iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE

    iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
    --state NEW,INVALID -j REJECT


    # ------------------------------------------------------------------
    # HTTP client (80)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    iptables -A INPUT -i $LOCAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $LOCAL_INTERFACE -p tcp \
    -s $IPADDR2 --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    # ------------------------------------------------------------------
    # HTTPS client (443)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 443 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT

    # ------------------------------------------------------------------
    # WWW-CACHE client
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 3128 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 3128 -j ACCEPT

    # ------------------------------------------------------------------
    # TRANSPARENT PROXY client
    # ------------------------------------------------------------------

    iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
    --destination-port 80 -j REDIRECT --to-port 3128

    Any suggestions? Please help.

    rhonneil


  2. #2

    Re:LAN clients get connection denied by Apache

    Why are you telnetting to port 80? If HTTP were to return a shell it would probably work. If you really want to use telnet, open port 23 and set up a telnet service.

  3. #3

    Re:LAN clients get connection denied by Apache

    [quote author=Master Copy link=board=4;threadid=8072;start=0#msg73452 date=1068089440]
    Why are you telnetting to port 80? If HTTP were to return a shell it would probably work. If you really want to use telnet, open port 23 and set up a telnet service.
    [/quote]

    Hi!

    Yes, indeed my HTTP service is running. In fact, I can access web pages when HTTP is running without a firewall. However, it's the other way around: when my firewall is running I can't access my Apache web pages.

    I tried to modify this entry:
    # ------------------------------------------------------------------
    # TRANSPARENT PROXY client
    # ------------------------------------------------------------------

    iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
    --destination-port 80 -j REDIRECT --to-port 3128

    and changed port 80 to 8080. Now I can access web pages on my Apache using ONLY the IP address [192.168.0.1] typed into the web address bar, but not the NetBIOS name [www.mydomain.com], and also not when using my external IP [203.x.x.1], even though these entries have been defined in my DNS records and are working without a problem.

    Here are my firewall rules:

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    iptables -A INPUT -i $LOCAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $LOCAL_INTERFACE -p tcp \
    -s $IPADDR2 --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    where:

    IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
    IPADDR2=`ifconfig eth1 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`

    EXTERNAL_INTERFACE="eth0"
    LOOPBACK_INTERFACE="lo"
    LOCAL_INTERFACE_1="eth1" # Internal LAN interface
    INTRANET="192.168.0.0/16" # Private IP Addr Range
    PRIMARY_NAMESERVER="203.x.x.3"
    SECONDARY_NAMESERVER="203.x.x.4"
    LOOPBACK="127.0.0.0/8"
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"
    BROADCAST_SRC="0.0.0.0"
    BROADCAST_DEST="255.255.255.255"
    PRIVPORTS="0:1023"
    UNPRIVPORTS="1024:"

    I just used telnet from my client to check whether HTTP rejected my request to access port 80.

    Thank you very much for your time. I really appreciate your help.

    rhonneil

  4. #4

    Re:LAN clients get connection denied by Apache

    Sorry about that. I see where you are going with it now. The telnet threw me off.

    Have you updated your /etc/hosts and /etc/host.allow files? Just add a

    192.168.0.1 myhost myhost.mydomain.com

    to rid yourself of having to enter the IP.

    Have you seen what tcpdump spits out on the packets trying to come in, or checked the firewall log?

    iptables -A INPUT -i $LOCAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT

    Have you tried using an "any" function to see if this is where it's holding it back?

    On the source ports for some, aren't you going through squid? Is it trying to go through 3128?

  5. #5

    Re:LAN clients get connection denied by Apache

    [quote author=Master Copy link=board=4;threadid=8072;start=0#msg73454 date=1068094696]
    Sorry about that. I see where you are going with it now. The telnet threw me off.

    Have you updated your /etc/hosts and /etc/host.allow files? Just add a

    192.168.0.1 myhost myhost.mydomain.com

    to rid yourself of having to enter the IP.
    [/quote]

    Yes, I have already included this in my /etc/hosts.
    I don't have an /etc/host.allow file; I removed it. All access/permissions are provided by my iptables.

    Have you seen what tcpdump spits out on the packets trying to come in, or checked the firewall log?
    Yes, packets are trying to come in, but not successfully.

    iptables -A INPUT -i $LOCAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT

    Have you tried using an "any" function to see if this is where it's holding it back?
    I have commented out these entries and there was no effect, so I have now removed them.

    I had just added these entries and was trying to see what their effect would be. Thanks for the comment.

    On the source ports for some, aren't you going through squid? Is it trying to go through 3128?
    I am using a transparent proxy for my Squid to speed up access to web pages on port 3128. It is not configured to act as a forward proxy at this moment, if this is what you mean.

    Now, my problem is that my Apache can't be accessed via the web with the firewall running. Shutting down the firewall, however, provides access to my web pages.

    What could be wrong with these firewall entries:

    # ------------------------------------------------------------------
    # HTTP client (80)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    # ------------------------------------------------------------------
    # HTTPS client (443)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 443 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT

    # ------------------------------------------------------------------
    # WWW-CACHE client
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 3128 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 3128 -j ACCEPT

    # ------------------------------------------------------------------
    # TRANSPARENT PROXY client
    # ------------------------------------------------------------------

    iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
    --destination-port 8080 -j REDIRECT --to-port 3128


    Thanks for your help

    rhonneil

  6. #6

    Re:LAN clients get connection denied by Apache

    So you can't get to the server at all from outside? Is that what you are saying? I'm sorry for all the questions, just throwing some stuff out that might shed some light on both of us.

    From what I've collected, you can access from the internal private network. correct?

    Please excuse my rusty iptables knowledge. Doesn't the "! --syn" disallow a SYN flag? Have you tried passing SYN and ACK to that port from $EXTERNAL to the server?

    Just some last minute ideas. I'll read it more carefully tomorrow when I'm awake. ;D

  7. #7

    Re:LAN clients get connection denied by Apache

    [quote author=Master Copy link=board=4;threadid=8072;start=0#msg73463 date=1068102856]
    So you can't get to the server at all from outside? Is that what you are saying? I'm sorry for all the questions, just throwing some stuff out that might shed some light on both of us. [/quote]

    Yes, I can't get into my Apache server despite the iptables rules I set.

    From what I've collected, you can access from the internal private network. correct?
    Yes you're right. Even when my firewall is running.

    Please excuse my rusty iptables knowledge. Doesn't the "! --syn" disallow a SYN flag? Have you tried passing SYN and ACK to that port from $EXTERNAL to the server?
    Yes, you're right, ! --syn disallows the SYN flag.

    Also, my FTP service can pass SYN and ACK to my server successfully via $EXTERNAL_INTERFACE; the iptables entries are as follows:

    # ------------------------------------------------------------------
    # FTP client (21)
    # ------------------------------------------------------------------
    #
    # Outgoing request

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 21 -j ACCEPT

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 21 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    # PORT mode data channel

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
    --source-port 20 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 20 -j ACCEPT

    thanks a million,

    rhonneil

  8. #8

    Re:LAN clients get connection denied by Apache


    Also, I added the following rules, which allow my LAN to access my Apache using the NAME address [www.mycompany.com]. Previously I could only open my Apache when using the IP address.

    iptables -A INPUT -i $LOCAL_INTERFACE_1 -p tcp --destination-port 80 -j ACCEPT
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -p tcp --source-port 80 --destination-port $UNPRIVPORTS -j ACCEPT

    Now, my remaining problem is that whenever I access my web pages from the Internet I get a refused connection.
    Please see my firewall rules; I hope you can make recommendations.

    # ------------------------------------------------------------------
    # HTTP client (80)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    # ------------------------------------------------------------------
    # HTTPS client (443)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 443 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT

    # ------------------------------------------------------------------
    # WWW-CACHE client
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 3128 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 3128 -j ACCEPT

    Thanks a million for your help.

    rhonneil

  9. #9

    Re:LAN clients get connection denied by Apache

    [quote author=rhonneil link=board=4;threadid=8072;start=0#msg73450 date=1068088118]
    Hi Gurus out there, could you please help me with my problem. I am running a newly installed Apache 2.x on my RH9.0 server. My problem is that every time my LAN clients want to access my Apache they are refused connections. But when I turn off my firewall, clients can freely access web pages.
    [/quote]

    Alright, analyzing it a little bit, section by section.


    #telnet 192.168.0.1 80
    Trying 192.168.0.1...
    telnet: connect to address 192.168.0.1: Connection refused

    I'm quite sure the problem is with my firewall rules. Could anyone please help me with what rule should allow my LAN to access my Apache server?

    My other services like Squid proxy, FTP and others are running OK, and my clients can freely access those services without any problem. Also, I use this machine as the gateway for my LAN.

    My Apache IP: 192.168.0.1 ----eth1

    Here's some part of my firewall script:
    Firewall script starts below.

    IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
    IPADDR2=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d " " -f 1`
    I guess you must have modified someone else's script or something; otherwise, why have two variables for the same IP?


    EXTERNAL_INTERFACE="eth0"
    LOOPBACK_INTERFACE="lo"
    LOCAL_INTERFACE_1="eth1" # Internal LAN interface
    INTRANET="192.168.0.0/16" # Private IP Addr Range
    PRIMARY_NAMESERVER="203.x.x.3"
    SECONDARY_NAMESERVER="203.x.x.4"
    LOOPBACK="127.0.0.0/8"
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"
    BROADCAST_SRC="0.0.0.0"
    BROADCAST_DEST="255.255.255.255"
    PRIVPORTS="0:1023"
    UNPRIVPORTS="1024:"

    SSH_LOCAL_PORTS="1022:65535"
    SSH_REMOTE_PORTS="513:65535"

    TRACEROUTE_SRC_PORTS="32769:65535"
    TRACEROUTE_DEST_PORTS="33434:33523"
    A bunch of variables are set.

    iptables -F
    iptables -F -t nat
    iptables -X
    Flushing iptables.


    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    Default policy is drop for everything.


    iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
    iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
    All traffic coming from the interface "lo" is accepted, as is all traffic destined for it.


    # Unlimited traffic within the local network.
    iptables -A INPUT -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT
    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT
    All traffic coming from/going to 192.168.0.0/16 is accepted.


    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    All remaining TCP packets on the input chain are dropped.

    Er, what? That can't be good if you want to run a server; the packets destined for it are dropped right here. At least, I'm pretty sure that's what you just did with that rule. Remember, the first rule that matches a packet is the one used.

    iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP

    # Allow all internal packets out of our network.
    iptables -A FORWARD -m state --state NEW,ESTABLISHED \
    -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT

    # Allow the associated packets with those connections back in.
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
    -i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT

    iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE

    iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \
    --state NEW,INVALID -j REJECT


    # ------------------------------------------------------------------
    # HTTP client (80)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    iptables -A INPUT -i $LOCAL_INTERFACE -p tcp ! --syn \
    --source-port 80 \
    -d $IPADDR2 --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $LOCAL_INTERFACE -p tcp \
    -s $IPADDR2 --source-port $UNPRIVPORTS \
    --destination-port 80 -j ACCEPT

    # ------------------------------------------------------------------
    # HTTPS client (443)
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 443 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 443 -j ACCEPT

    # ------------------------------------------------------------------
    # WWW-CACHE client
    # ------------------------------------------------------------------

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
    --source-port 3128 \
    -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR --source-port $UNPRIVPORTS \
    --destination-port 3128 -j ACCEPT

    # ------------------------------------------------------------------
    # TRANSPARENT PROXY client
    # ------------------------------------------------------------------

    iptables -t nat -A PREROUTING -i $LOCAL_INTERFACE_1 -p tcp \
    --destination-port 80 -j REDIRECT --to-port 3128

    Any suggestions? Please help.

    rhonneil


  10. #10

    Re:LAN clients get connection denied by Apache

    [quote author=Master Copy link=board=4;threadid=8072;start=0#msg73463 date=1068102856]
    So you can't get to the server at all from outside? Is that what you are saying? I'm sorry for all the questions, just throwing some stuff out that might shed some light on both of us.

    From what I've collected, you can access from the internal private network. correct?

    Please excuse my rusty iptables knowledge. Doesn't the "! --syn" disallow a SYN flag? Have you tried passing SYN and ACK to that port from $EXTERNAL to the server?

    Just some last minute ideas. I'll read it more carefully tomorrow when I'm awake. ;D

    [/quote]

    Yeah, that was confusing me too. "LAN clients" I would take to mean the internal network, but if that can connect okay even when the firewall is running, it's gotta be the external stuff he's having problems with?
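The whole thread turns on which rule of the posted INPUT chain decides a LAN client's and an Internet client's connection to port 80. The following is an added example, not code from the thread or from any iptables tool: it replays the posted INPUT rules under netfilter's first-match semantics. The external address 203.0.113.1 (standing in for the masked 203.x.x.1) and the client addresses are constructed; the interfaces, ports and rule order are the thread's own.

```python
"""First-match simulator for the INPUT chain posted in this thread.  Added
example, not code from the thread: it models only the matchers the posted
rules use and applies them the way netfilter does (first matching rule wins,
else the chain policy).  The masked external address 203.x.x.1 is replaced
by the constructed 203.0.113.1; everything else is the thread's own."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "in_if src dst sport dport flags")
ALL = frozenset({"SYN", "ACK", "FIN", "RST", "PSH", "URG"})   # --tcp-flags ALL
NONE = frozenset()                                            # ... NONE
EXT_IP, LAN_IP = "203.0.113.1", "192.168.0.1"                 # eth0 / eth1
UNPRIV = (1024, 65535)                                        # UNPRIVPORTS="1024:"

def rule(target, **criteria):
    """One iptables rule: a verdict plus the matchers it carries."""
    return dict(target=target, **criteria)

def matches(r, p):
    """Every criterion on the rule must hold; absent criteria match anything."""
    checks = {
        "in_if": lambda v: p.in_if == v,                              # -i
        "src": lambda v: ip_address(p.src) in ip_network(v),          # -s
        "dst": lambda v: ip_address(p.dst) in ip_network(v),          # -d
        "sport": lambda v: v[0] <= p.sport <= v[1],                   # --source-port
        "dport": lambda v: v[0] <= p.dport <= v[1],                   # --destination-port
        # --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN; False means "! --syn"
        "syn": lambda v: ((p.flags & {"SYN", "RST", "ACK", "FIN"}) == {"SYN"}) == v,
        # --tcp-flags MASK COMP: among the flags in MASK, exactly COMP must be set
        "tcp_flags": lambda v: (p.flags & v[0]) == v[1],
    }
    return all(checks[k](v) for k, v in r.items() if k != "target")

def evaluate(chain, policy, p):
    """Return (verdict, index of deciding rule); index None means the policy."""
    for i, r in enumerate(chain):
        if matches(r, p):
            return r["target"], i
    return policy, None

def input_chain_as_posted():
    """INPUT rules of the first post, in order.  The two rules that use the
    undefined $LOCAL_INTERFACE are left out: the script never sets it."""
    return [
        rule("ACCEPT", in_if="lo"),
        rule("ACCEPT", in_if="eth1", src="192.168.0.0/16"),
        rule("DROP", tcp_flags=(ALL, ALL)),      # only packets with every flag set
        rule("DROP", tcp_flags=(ALL, NONE)),     # only packets with no flag set
        # HTTP / HTTPS / 3128 *client* rules: they admit replies from remote
        # servers (sport 80, no SYN), never a new connection to local port 80.
        rule("ACCEPT", in_if="eth0", syn=False, sport=(80, 80), dst=EXT_IP, dport=UNPRIV),
        rule("ACCEPT", in_if="eth0", syn=False, sport=(443, 443), dst=EXT_IP, dport=UNPRIV),
        rule("ACCEPT", in_if="eth0", syn=False, sport=(3128, 3128), dst=EXT_IP, dport=UNPRIV),
    ]

def with_server_rule():
    """The eth0 counterpart of the rule the poster later added for eth1:
    accept connections to the gateway's own port 80 arriving on eth0."""
    chain = input_chain_as_posted()
    chain.insert(4, rule("ACCEPT", in_if="eth0", dst=EXT_IP, dport=(80, 80)))
    return chain

# Constructed packets: LAN client, Internet client, remote web server's reply,
# and an all-flags probe, which is what "--tcp-flags ALL ALL" actually matches.
SAMPLES = {
    "lan_syn": Packet("eth1", "192.168.0.50", LAN_IP, 3456, 80, frozenset({"SYN"})),
    "ext_syn": Packet("eth0", "198.51.100.7", EXT_IP, 40000, 80, frozenset({"SYN"})),
    "reply": Packet("eth0", "198.51.100.7", EXT_IP, 80, 40000, frozenset({"SYN", "ACK"})),
    "xmas": Packet("eth0", "198.51.100.7", EXT_IP, 40000, 80, ALL),
}

def verdicts(chain):
    return {name: evaluate(chain, "DROP", p)[0] for name, p in SAMPLES.items()}

if __name__ == "__main__":
    print("as posted:       ", verdicts(input_chain_as_posted()))
    print("with server rule:", verdicts(with_server_rule()))
```

The simulation only covers INPUT; the matching OUTPUT rule for Apache's replies (source port 80 on eth0, like the eth1 rule added in post #8) is still needed for the connection to complete.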
